πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

DOM Based Cross Site Scripting

DOM XSS occurs when untrusted input is read from a client-side source (e.g., document.location, document.referrer, window.name, or query parameters) and is directly written into a dangerous sink in the DOM without proper sanitisation or encoding. Unlike reflected or stored XSS, DOM XSS vulnerabilities are triggered entirely in the browser by client-side JavaScript logic. An adversary can craft malicious URLs or payloads that, when loaded in a victim’s browser, execute arbitrary JavaScript with the privileges of the vulnerable web page.

Remediation

  • Avoid unsafe sinks such as innerHTML, outerHTML, document.write, eval, and setTimeout with untrusted input.
  • Use a well-vetted frontend framework (e.g., React, Angular, Vue) that automatically applies context-aware escaping and DOM sanitisation.
  • Apply context-aware output encoding (HTML, URL, JavaScript, CSS) before inserting untrusted values into the DOM.
  • Implement strict Content Security Policy (CSP) to limit the impact of injected scripts.
  • Where direct DOM manipulation is necessary, use safe alternatives like textContent or setAttribute.
  • Validate and sanitise URL parameters and other client-side data sources before processing them in the DOM.

Metadata

  • Severity: medium
  • Slug: dom-based-cross-site-scripting

CWEs

  • 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP

  • A7:2017: Cross-Site Scripting (XSS)

Available Labs

Open Python labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.